Hacking Humans 8.16.18
Ep 12 | 8.16.18

Sometimes less is more.


Michael Murray: [00:00:00] No matter how good a job Apple and Google are doing, I think there's always a need for a third party. This is why third parties in security always exist.

Dave Bittner: [00:00:09] Hello, everyone, and welcome to The CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from The CyberWire. And joining me, as always, is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe.

Joe Carrigan: [00:00:30] Hi, Dave.

Dave Bittner: [00:00:31] As always, we've got some fun stories to share. And later in the show, we speak with Michael Murray from Lookout. He shares information about vulnerabilities specific to mobile devices.

Dave Bittner: [00:00:42] But before we jump into all of that, a quick word from our sponsors at KnowBe4. So how do you train people to recognize and resist social engineering? Here are some things people think. Test them, and if they fall for a test scam, fire them. Or, other people say, if someone flunks the test, shame them. Instead of employee of the month, it's doofus of the day. Or, maybe you pass out a gift card to the one who gets the A-plus for skepticism in the face of phishing. How 'bout it? What do you think? Carrots or sticks? What would you do? Later in the show, we'll hear what the experts at KnowBe4 have to say. They're the sponsors of this show.

Dave Bittner: [00:01:24] And we are back with some stories to share. Joe, you're up first this week. What do you got?

Joe Carrigan: [00:01:28] Now, this one comes from Down Under, Dave.

Dave Bittner: [00:01:31] Right. Crikey (laughter).

Joe Carrigan: [00:01:33] The Australian Competition and Consumer Commission has this story on their website. And it's about Steve. That's probably not his real name, but...

Dave Bittner: [00:01:40] All right.

Joe Carrigan: [00:01:40] ...He is a retiree, 65-year-old man, lives alone. And, not long after his wife passed away, he receives an unexpected telephone call with an investment opportunity.

Dave Bittner: [00:01:49] OK.

Joe Carrigan: [00:01:50] Right? These people are essentially cold calling him, and it sounds very professional. And the people who call him seem to have excellent knowledge of investment matters.

Dave Bittner: [00:01:59] All right.

Joe Carrigan: [00:01:59] So they know all the lingo and everything.

Dave Bittner: [00:02:00] Right.

Joe Carrigan: [00:02:01] They answer all of Steve's questions. Their initial contact is followed up with a call from senior advisers. Right? These are people who are allegedly specialized in advising seniors on what to do with their money.

Dave Bittner: [00:02:13] Right. So I mean, that's not an atypical process there, where you have someone who reaches out to try to generate leads.

Joe Carrigan: [00:02:18] Right.

Dave Bittner: [00:02:19] And then it's followed up by someone higher up.

Joe Carrigan: [00:02:21] Seems legit, right?

Dave Bittner: [00:02:22] Yeah.

Joe Carrigan: [00:02:23] His current investments weren't doing so great so he decides he's going to go ahead and send them a small portion of his money. And he winds up sending them about 5 percent of what he has, which is around $10,000.

Dave Bittner: [00:02:36] OK.

Joe Carrigan: [00:02:36] If you're going to take a risk, you know, that seems like a reasonable thing to do - I'm going to see what happens with this first little bit and see if it turns out well. If it doesn't turn out well, I'm not out that much. I'm not hurt that bad. So he gives them $10,000, and they send him to a very professional-looking website. And they even give him an account that he can log in on. And the website shows his money growing as the market goes up.

Dave Bittner: [00:03:00] So he's got a way to track his investment on this website.

Joe Carrigan: [00:03:03] Right. There's no investment. His money's gone already.

Dave Bittner: [00:03:06] (Laughter).

Joe Carrigan: [00:03:07] That's the sad part.

Dave Bittner: [00:03:08] Right.

Joe Carrigan: [00:03:09] But he thinks it's not. He thinks it's there and that he's doing quite well. So over the course of the next 12 months, he winds up transferring $200,000 to these people. And then the first clue he has that something's wrong is when the website goes down and he can't reach anybody by phone.

Dave Bittner: [00:03:24] OK.

Joe Carrigan: [00:03:24] Then he starts doing some research. So a key takeaway from this story is before you send any money, that's when you do your research. Unfortunately, this guy did his research after he sent the money. And he finds that the company is not registered with the Australian Securities and Investment Commission. But, as we've talked about before, he's too embarrassed to tell anybody about this. He does get contacted by the police when they discovered his name on bank transfers made to known fraudsters. The police have heard about this, and they find out that he's made the transfer so they contact him.

Dave Bittner: [00:03:54] So he's lost over $200,000...

Joe Carrigan: [00:03:57] Right.

Dave Bittner: [00:03:57] ...But he's too embarrassed to let anyone know about it.

Joe Carrigan: [00:03:59] Yep.

Dave Bittner: [00:04:00] These people fly the coop so he can't get in touch with them anymore.

Joe Carrigan: [00:04:03] Right.

Dave Bittner: [00:04:03] And he figures it's just done. But then he gets a call from the police.

Joe Carrigan: [00:04:07] Right. And the police just contact him and say, you know, these were fraudsters. And he's like, of course. I know that now.

Dave Bittner: [00:04:12] (Laughter) He's, yeah. I'm well aware of that...

Joe Carrigan: [00:04:13] (Laughter).

Dave Bittner: [00:04:13] ...Thank you very much.

Joe Carrigan: [00:04:14] (Laughter) Yeah. Thank you for telling.

Dave Bittner: [00:04:14] Right.

Joe Carrigan: [00:04:15] But here's what else happens next.

Dave Bittner: [00:04:17] OK.

Joe Carrigan: [00:04:18] Then this guy gets a call from somebody with an offer to help him get his money back from the original investment. Right? But this time, he's smart, and he calls the police and he says, what's going on? They go, no, no, this is a follow-up scam. They're just trying to get more money out of you with your sunk cost fallacy. Right? So they know that you've thrown a lot of money down a hole, and they're going to try to get more money out of you with the belief that you can get this money back out of a hole, which you can't.

Dave Bittner: [00:04:44] Right.

Joe Carrigan: [00:04:44] That money's gone.

Dave Bittner: [00:04:46] So they try to give him a little more hope to say, at least you could get some of this money back. But, how much do you want to bet that in order to do that, he had to send them some more money?

Joe Carrigan: [00:04:54] Sure. That's exactly what he had to do, is, send them more money.

Dave Bittner: [00:04:58] That's awful.

Joe Carrigan: [00:04:58] It's terrible.

Dave Bittner: [00:04:58] Taking advantage of folks in their later years, worked their whole lives to save up money...

Joe Carrigan: [00:05:04] Yep.

Dave Bittner: [00:05:04] ...And these people, trying to steal it from them.

Joe Carrigan: [00:05:06] Check on your parents, folks.

Dave Bittner: [00:05:07] Yeah. Yeah. I mean, that's a great point. Share these kinds of stories with your parents. And especially that part about not being embarrassed to tell someone.

Joe Carrigan: [00:05:17] Right. We talk a lot on here about inoculation. Right? Just by knowing what the scam is or knowing what the lie is, that inoculates you against falling victim to it.

Dave Bittner: [00:05:27] Right. Right.

Joe Carrigan: [00:05:28] It's like a vaccine, a truth vaccine.

Dave Bittner: [00:05:30] But you need to tell your folks that, don't ever be embarrassed to share something with me. I have a friend who works with these sorts of things, and she suggested to me one of the best ways you can approach this is, go to your parents and frame it this way. Say, nothing would make me happier than being able to help you with something like this.

Joe Carrigan: [00:05:49] Right.

Dave Bittner: [00:05:50] Because your parents worry - they don't want to be a burden.

Joe Carrigan: [00:05:52] Right.

Dave Bittner: [00:05:53] So they're worried that they're going to cost you time, cost you money. But if you frame it to them and say, nothing would make me happier than to be able to help you with a situation like this, that helps remove that fear that your parents have...

Joe Carrigan: [00:06:06] Right.

Dave Bittner: [00:06:06] ...Of being a burden.

Joe Carrigan: [00:06:07] Right.

Dave Bittner: [00:06:07] So that's a useful suggestion there.

Joe Carrigan: [00:06:10] And then when they do call, you have to - you can't be like, ugh.

Dave Bittner: [00:06:13] Right. Right. Exactly.

Joe Carrigan: [00:06:15] (Laughter).

Dave Bittner: [00:06:15] Remember what I said about nothing would make me happier? Well, that was a lie.


Dave Bittner: [00:06:20] I am ashamed of you. You have disappointed me. No. No. Love your parents. Your parents love you. Love them back and take good care of them.

Joe Carrigan: [00:06:28] Yes.

Dave Bittner: [00:06:29] All right. Well, that's a good one. Boy, it's sad, though. Isn't it?

Joe Carrigan: [00:06:32] It is sad. It's terrible. It's - you know, my heart breaks for these people. They're getting taken advantage of. If something sounds too good to be true, it probably is.

Dave Bittner: [00:06:39] Right. Right. Although, it sounds like, in this case, it sounded legit. And that's what they do. It sounds legit. They knew the lingo.

Joe Carrigan: [00:06:46] Right.

Dave Bittner: [00:06:46] So this was a guy who was used to having investments, and he was hooked by these folks.

Joe Carrigan: [00:06:51] Right. And the amazing part is that they actually set up a website for him to actually watch things grow.

Dave Bittner: [00:06:56] Right.

Joe Carrigan: [00:06:57] That's pretty impressive.

Dave Bittner: [00:06:58] Well, that's a good story, Joe. My story this week comes courtesy of a friend of the show, Graham Cluley. Once again, he had a guest author on his website. This is from Bob Covello. And the title of the article is, "Phone Scam Exploits Russian Hacking Fears." We're all familiar with these phony tech support scam calls.

Joe Carrigan: [00:07:19] Right.

Dave Bittner: [00:07:20] So this is a variation on that. This is people calling and asking if you know people with Russian names. So (laughter) in this situation, the person who wrote this article got a call and said that Russians had connected to his network and that the caller was going to help fix it. And she said, do you know Dimitri (ph), Andreski (ph), comrade? And he said, no, I - well, he actually - the person in this case said, yes. I do. They're friends of mine. (Laughter). 'Cause he knew it was a scam. But, basically, I mean, getting back to the point of this is that what they're doing is they're taking advantage of all of the stories in the news about Russians attacking...

Joe Carrigan: [00:08:00] Yup. It's front of mind.

Dave Bittner: [00:08:01] Front of mind. Yup. They're tying into that a variation on the tech support scam taking advantage of something that is, I think, a fear and seems plausible that the Russians could be in your system.

Joe Carrigan: [00:08:12] So what's the payoff here? Is it, like, a tech support scam where it's...

Dave Bittner: [00:08:16] Well, it's - yeah.

Joe Carrigan: [00:08:16] ...You give me your credit card number, and I'll get rid of the Russians?

Dave Bittner: [00:08:18] Exactly.

Joe Carrigan: [00:08:19] OK.

Dave Bittner: [00:08:19] Exactly. We have evidence here that the Russians have broken into your computer, and for the low, low price of, you know, a thousand dollars, I will clear your computer magically and mystically. All you have to do is turn over complete control over your system.

Joe Carrigan: [00:08:31] So let me see if I got this right.

Dave Bittner: [00:08:33] (Laughter).

Joe Carrigan: [00:08:34] The Russian government, who has some of the best hackers in the world...

Dave Bittner: [00:08:38] Yeah.

Joe Carrigan: [00:08:38] ...Has control of my network. And, thankfully, you have called. And for the low, low price of a thousand dollars or something, you're going to get rid of a nation-state advanced persistent threat...

Dave Bittner: [00:08:47] Yes.

Joe Carrigan: [00:08:48] ...From my network. What a deal.

Dave Bittner: [00:08:50] Yes. Just...

Joe Carrigan: [00:08:51] (Laughter).

Dave Bittner: [00:08:51] ...Give me - hand over that credit card, Joe, and I will clear off your computer.

Joe Carrigan: [00:08:54] Shut up and take my money.

Dave Bittner: [00:08:55] No fuss, no muss. That's right. Just something to keep an eye on. Again, the article, if you want to dig into it, is over on Graham Cluley's website. A little variation on the tech support scam. All right. Joe, it is time for our Catch of the Day.


Dave Bittner: [00:09:16] Joe, this one comes from a listener named Andrew. He sent in this story. You're a pet owner, aren't you?

Joe Carrigan: [00:09:21] I am. I have a dog and three cats.

Dave Bittner: [00:09:23] Wow.

Joe Carrigan: [00:09:23] That's two cats too many, I like to say.

Dave Bittner: [00:09:25] That's a menagerie.

Joe Carrigan: [00:09:26] (Laughter) Right?

Dave Bittner: [00:09:27] We have a dog, also. And, of course, there's few things in life sadder than losing a pet. It's a tough thing. So listener Andrew sent in, and here's what he wrote us. He said, two years ago, we put down our 13-year-old family dog. She was obviously a big part of our family, and it was highly emotional when we lost her.

Dave Bittner: [00:09:44] Fast-forward to today. My wife is finally ready to entertain our kids and adopt a new puppy. One day, she started showing me pictures of a few possible pups from two different breeders she found online and really started to fall in love with a cute little Lab puppy in Texas. She reached out to the individual offering the puppy, via text, and started to explore what it would take to adopt her. They exchanged several texts where the seller assured her how the puppy was AKC certified, sent photos of the parents, et cetera. My wife was excited and told them she wanted to move forward. I had purposely let her run with all this, but when she told me she had made her decision and that we would have to send payment to the breeder via MoneyGram...

Joe Carrigan: [00:10:24] Bing.

Dave Bittner: [00:10:24] ...My guard immediately went up. I suggested she ask the breeder if we could all hop on the phone to talk through the process, which she did, and we waited for their response. In the meantime, I did a quick who-is search on the breeder's domain and was directed to a site, petscams.com, which documented that this domain belonged to an individual who had been reported for scamming people by posting stolen photos of puppies, taking money from would-be buyers and then disappearing.

Dave Bittner: [00:10:52] As we waited to hear back from the seller, I told her about my research, explaining that the MoneyGram request was the red flag that prompted me to do a little snooping. She was a bit shocked but then started to disclose some of the odd things she noticed in her exchange. For example, the seller's English wasn't so good. They also misunderstood a question about the puppy's temperament as a question about temperature, responding with something that flat out made no sense. In hindsight, she admitted, she dismissed some of this, assuming it was an older individual she was corresponding with, but also because she was emotionally attached to the idea of adopting this cute little puppy.

Joe Carrigan: [00:11:27] Right. That's the hook.

Dave Bittner: [00:11:28] She was feeling a bit foolish about being tricked but relieved we caught it. I suggested she reply to the seller with a sense of relief, mentioning that we're expecting a large sum of money from a long-lost relative in Nigeria...

Joe Carrigan: [00:11:41] (Laughter).

Dave Bittner: [00:11:41] ...And that as soon as we receive it, we will promptly send their fee via MoneyGram. So the story ultimately did end well. She just found a puppy from a local rescue...

Joe Carrigan: [00:11:51] Very good.

Dave Bittner: [00:11:51] ...Who accepted payment options other than MoneyGram. The puppy is happy, home and figuring out what a home with four children is all about.

Joe Carrigan: [00:11:59] Well, that's great that it ended well.

Dave Bittner: [00:12:01] Yeah. But, boy, I mean, this plays into so many of the things we always talk about.

Joe Carrigan: [00:12:05] Right.

Dave Bittner: [00:12:05] The emotional component. Pictures of a puppy.

Joe Carrigan: [00:12:09] Yup.

Dave Bittner: [00:12:10] Boy, that'll tug at your heartstrings.

Joe Carrigan: [00:12:11] Yeah. She's already emotionally invested in getting the puppy, and she likes this particular puppy, and the scammers know this.

Dave Bittner: [00:12:17] And because of that, she dismissed what should have been several red flags.

Joe Carrigan: [00:12:23] Correct...

Dave Bittner: [00:12:23] Understandable.

Joe Carrigan: [00:12:25] ...That this was an older person who might not be so good at using technology, like texting.

Dave Bittner: [00:12:29] Didn't so much dismiss as rationalize.

Joe Carrigan: [00:12:31] Rationalize. Right. Exactly. That's a better way to put it.

Dave Bittner: [00:12:34] Yeah.

Joe Carrigan: [00:12:34] I do think that the biggest red flag here for me, if I were in this position, would have been when I said temperament and you respond with something about the dog's temperature.

Dave Bittner: [00:12:44] (Laughter) Right.

Joe Carrigan: [00:12:44] As someone who has owned a dog now for almost 15 years - by the time this airs, my dog will be 15 years old. He's an old dog.

Dave Bittner: [00:12:51] Aw.

Joe Carrigan: [00:12:52] One of the things that I was looking into - he's my first dog, too, actually. I've never owned a dog before this. People talk about temperament. It's a very common feature of a dog that gets discussed a lot - this breed has a good temperament, this breed has a bad temperament.

Dave Bittner: [00:13:05] Yeah.

Joe Carrigan: [00:13:05] Or, can have a bad temperament. Or, how you raise them will dictate their temperament.

Dave Bittner: [00:13:09] Certainly, if you were a dog breeder, this would not be a new term for you (laughter).

Joe Carrigan: [00:13:13] Yeah. Temperament would not be a word that you should misunderstand.

Dave Bittner: [00:13:16] Right. Well, all's well that ends well, as we said. So again, thanks to our listener, Andrew, for sending this in. And that is our Catch of the Day. Coming up next, we've got my interview with Michael Murray from Lookout. But first, a word from our show sponsors, KnowBe4.

Dave Bittner: [00:13:36] Let's return to our sponsor, KnowBe4's, question, carrots or sticks? Stu Sjouwerman, KnowBe4's CEO, is definitely a carrot man. You train people, he argues, in order to build a healthy security culture, and sticks don't do that. Approach your people like the grownups they are, and they'll respond. Learning how to see through social engineering can be as much fun as learning how a conjuring trick works. Hear more of Stu's perspectives in KnowBe4's weekly Cyberheist News. We read it, and we think you'll find it valuable, too. Sign up for Cyberheist News at knowbe4.com/news. That's knowbe4.com/news.

Dave Bittner: [00:14:24] And we're back. Joe, I recently spoke with Michael Murray. He's the vice president of security intelligence at Lookout. And we spoke about mobile devices, specifically about phishing attacks on mobile devices and some of the vulnerabilities there are on that side of things. So here's my conversation with Michael Murray.

Michael Murray: [00:14:42] I was talking to a customer recently, and they mentioned that they did a survey on their active directory. And over 75 percent of the authentication requests were now coming from mobile platforms rather than from traditional desktops and laptops. As the world moves more to that platform, the attackers are, too. And what we've seen is that the more sophisticated attackers go first, right? Unlike what we saw in the traditional evolution of the attack landscape on PCs where, you know, if you look back in the '90s, you saw the - you know, the script kiddies came first in a lot of ways. We saw the web defacements and things like that long before we saw global cybercrime and nation-state espionage.

Michael Murray: [00:15:21] On the mobile platform, it's gone the other way. And so the sophisticated phishing attackers have moved to the mobile platform first. Those folks have moved almost exclusively to phishing against a mobile platform, into installing malware on a mobile platform. And the interesting thing about that is when you move away from the desktop when you're talking about social engineering, the mobile platform is rich in that I no longer have to just send you an email. I can send you an email because we all get email on our phones these days.

Michael Murray: [00:15:51] But more interestingly than that, if I want to evade the corporate email controls, whether those controls are in the cloud, in, you know, G Suite or Office 365 or the traditional Exchange Server - everybody's got anti-phishing and products there - if I want to attack your mobile device, I can send you a text message. I can send you an iMessage if you're on iOS or a Hangout if you're on G Suite or Android. I can send you a Facebook message. I can send you Snapchat. I can send you WeChat, WhatsApp. And I'm too old and not cool enough to know whatever the other 50 things I could probably be sending you messages on that aren't protected by the corporations. So as a sophisticated attacker who wants to attack a person, I no longer have to go through the choke point of email. And that gives me so many more options as a sophisticated attacker to really trick you.

Dave Bittner: [00:16:45] Now, what is it about the fact that this device is mobile? You know, I'm thinking of the difference in the state of mind between me sitting at my desk at my computer at work and I'm on the move. I might be out and about. I might be traveling to a customer site. I might be in the grocery store shopping. I might be at a movie. You know, what is the difference that opens me up to different types of attacks from one location to the other?

Michael Murray: [00:17:11] You intuited something really interesting, and, actually, if you look at the history of social engineering, urgency has always been a driver of social engineer - right? - you know, the traditional pretexts. And you see these in, like, the social engineering capture the flag. If I can get someone reacting from unconscious process - right? - if I can move their processing from a very deliberate state to a state where they're somewhat distracted, they're more likely to give me the information you're talking about. So like you said, if you're sitting at your desk quietly relaxed, you might be more thoughtful about the communication that you get than if you're in all of those places. So the mobility aspect gives you the ability to catch someone off guard a little bit.

Michael Murray: [00:17:54] The other parts of this, though - and I think it's much more interesting - and the research that we've done on our own customers and in our own user base actually shows that users on a mobile platform are - even with a traditional-style phishing attack, users on a mobile platform are about three times more likely to fall for a phishing attack on a mobile platform than on a traditional desktop, even with the same phishing attack. And the reason for that is partially what you talked about, right? Partially, we're more distracted when we're using a mobile device just by the nature of it.

Michael Murray: [00:18:25] But more than that, if you think about the tradition of anti-phishing efforts and the security awareness efforts, all the things we've taught our users over the last 15 years - whatever timeframe you want to put that in - are very PC centric. And what do we tell them? Hover over the links with your mouse. Well, good luck doing that on a mobile platform. Look at the site and make sure it looks like the site that you're used to. Well, by nature, the sites in a mobile browser look different than they look on a PC. So all of these pieces come together to create a platform and an opportunity for the phisher to evade all the things we taught our users over the last 15 to 20 years. It's not just the fact that they're mobile and distracted. It's also that we become a victim of our own success in some way. We taught people how to recognize a phishing email, and then we've given them a little box to put in their hands where none of that works anymore.

Dave Bittner: [00:19:22] I think there's a perception that the mobile operating systems themselves have a higher level of security than the desktop systems. The fact that they are within a certain degree of walled gardens for getting apps - newer operating systems, they don't have the history of attacks that perhaps the desktop systems do. Do you think that gives people a false sense of security?

Michael Murray: [00:19:42] One hundred percent. So it's a funny juxtaposition of a bunch of factors all at the same time. Now, here's the deal. I actually agree with the statement. I think if you give me a modern iOS or Android device, you know, a Pixel or an iPhone X or whatever, and you put that up against a circa 2003 Windows 2000 Win32 device, I will tell you the mobile platform is a heck of a lot more secure. That said, the attackers that were attacking Windows in 2003 are not nearly as sophisticated as the attackers that are attacking mobile in 2018. And so while the OS has evolved, so have the attackers. And so we've created a much more secure OS. There's no question about that.

Michael Murray: [00:20:29] We've also created an OS that is much harder to secure, right? It's one of the reasons you don't see the traditional security vendors playing in the mobile security space nearly as much. If you think about almost all of the security products that we've built for endpoint security over the history of computer security - you know, the Symantecs, the McAfees, even the modern and really advanced stuff, the Cylances, the CrowdStrikes, the SentinelOnes, those folks - they're all built with the idea of ring 0 access to the device, right? I could literally wire myself into the kernel and I could see everything that's happening on a device. But on a mobile platform, it's much harder to secure that platform. We at Lookout know this, right? We have built a company around being good at this.

Michael Murray: [00:21:13] But it's not nearly as easy to be a security solution on a mobile platform because that walled garden extends to everyone. While it is more secure inherently than the old Win32 or the Mac OS or the Linux device by itself - those devices are more inherently secure, they're also harder to secure. So that false sense of security - yeah, it's a true statement to say those platforms are more secure. It's also a true statement to say those platforms, while they are more secure, if they have a problem, they're harder to keep secure. And even beyond that, you're not looking at the script kiddie attacker. You're talking about nation-states and serious cybercriminals. And those people are investing millions or tens of millions of dollars into figuring out a way around that security. So I think it's both true and false all at the same time, if that makes any sense.

Dave Bittner: [00:22:03] I want you to bear with me while I make what I think is going to be an imperfect metaphor here. But I remember back when I was a kid coming up, you know, the movie "Jaws" and interviews with Steven Spielberg who said that part of what made that movie successful and what made it so scary was that they couldn't show the shark, that the shark didn't work very well. And so by hiding the shark, that made the shark even more scary to the viewers because they filled everything in with their imagination. It strikes me that when I have seen success with a lot of these phishing attempts, sometimes less is more. A message that says, hey, have you seen this may be more successful than three or four paragraphs of - you know, I'm more likely to catch on to a long narrative that maybe something is up. Do you think there's something to that? Am I getting anywhere with that metaphor?

Michael Murray: [00:22:49] You are. You - actually, to flip it over and tell you a story - one of my team came to me the other day and said, check out this phishing message that I got through WhatsApp. The message was simple - I found someone posting pictures of you online - and a link. That was it, the whole message. Think about how powerful that is, and it's exactly the metaphor you just used, right?

Dave Bittner: [00:23:08] Right.

Michael Murray: [00:23:08] It sparks your curiosity in a way that if someone had sent a longer email or even if the text message had been three sentences - I found someone posting naked pictures of you online. Well, my first thought is I've never taken naked pictures.

Dave Bittner: [00:23:23] Right.

Michael Murray: [00:23:24] So I'm not going to click on that and that's clearly a problem, right? By leaving it so vague, they actually opened up the opportunity for the user to fill it in with their imagination. And, man, I will tell you the more I see phishing messages against the mobile platform, the more that less-is-more thing comes into play. And we've seen some incredibly sophisticated ones. It is so powerful and especially because we're so used to - you know, you talked about the walled garden in app stores, but I think we've been lulled into the belief that many things online are a walled garden, right? We know that email is full of phishing scams and spam and all of this because we've been doing that for 25 to 30 years. We still think that Facebook is a walled garden. And if you don't believe that, go look. Everyone's got friends who post things on Facebook they would never say in the real world, right?

Dave Bittner: [00:24:17] Yeah.

Michael Murray: [00:24:18] It's like I'm on a computer. I'm only talking to my friends, so I can trust anything that they say and they can trust anything that I say. And we have that belief all over. You know, Snapchat exists as a company with the idea that all of those messages are private and disappear. Well, what better place to send you a message to scam you than a place that you inherently believe will be secure? Ditto all these encrypted end-to-end messengers, you know, the WhatsApps, the Signals, the Wickrs, all of these, right? We've been lulled into the belief that these are environments in which we can communicate securely and privately with our friends. Any message that comes through that channel, I already am inclined to believe, you know, by believing in the marketing of the product that that message has more security than the email that I got on the same topic. And so, you know, you're much more likely to click on those things.

Michael Murray: [00:25:13] This is why that the - the research that we've been doing finds that the mobile platform is so fertile a ground for these targets. And we've started to see more of that. And I think 15 years from now, we will probably treat all of those channels the same way we treat email. We will have that same inherent suspicion. But for now, we really buy it. We really buy the idea that messages sent to me directly on my phone, while they require that somebody knows my phone number and, clearly, I only give my phone number to people that I actually trust and want to talk to me, so most of the time, those are real things.

Dave Bittner: [00:25:51] So Michael Murray from Lookout - lots of good information shared there.

Joe Carrigan: [00:25:54] Indeed. One of the big factors here, as he points out, is that mobile devices now account for 75 percent of active directory logins. That's astounding. I had no idea that was the case. Mobile users are three times more likely to fall for a phishing attempt for all the reasons he points out. Mostly, it's a UI issue, right...

Dave Bittner: [00:26:12] Right.

Joe Carrigan: [00:26:13] ...Where you can't do on a mobile device what you can do on a PC or a laptop to make sure it works. One of the things that I think that is - probably also contributes to the problem of mobile security is these are users' devices. They're your own devices. It's the BYOD situation, right? So it's not like a device that the company has management authority over. I mean, they could put policies on it, like if you enter the wrong code 10 times, your mobile device gets wiped...

Dave Bittner: [00:26:40] Right.

Joe Carrigan: [00:26:40] ...And everything's gone. These are your own devices.

Dave Bittner: [00:26:43] There's a spectrum of how much is this mine and how much is this theirs?

Joe Carrigan: [00:26:47] Right. And...

Dave Bittner: [00:26:47] If my company issues me a laptop...

Joe Carrigan: [00:26:50] That's theirs.

Dave Bittner: [00:26:50] And it's theirs, and so I'm going to be extra careful that I don't do anything that's going to put them at risk or put me in any sort of embarrassing or compromising position.

Joe Carrigan: [00:27:00] Right.

Dave Bittner: [00:27:01] But I think it's a little fuzzier when you bring the device to the table.

Joe Carrigan: [00:27:04] Three takeaways from this.

Dave Bittner: [00:27:06] Yeah.

Joe Carrigan: [00:27:06] One is that ambiguity (ph) is the ally of the social engineer. You know, like you said with "Jaws..."

Dave Bittner: [00:27:13] Yeah.

Joe Carrigan: [00:27:13] ...Let the users' imagination do the work for you as a social engineer. Two, there's a false sense of security that we get from these apps like Snapchat, Telegram and whatever. And that kind of works to the attackers' advantage. I'm in the same boat that Michael is. I don't know how to use these apps.


Joe Carrigan: [00:27:30] You know, Snapchat infuriates me. I have it, but I don't understand how to use it. I still refer to Snapchat as the Snapchat just for the sake of my children and irritating them.

Dave Bittner: [00:27:40] (Laughter) Yes, the Facebook, the Snapchat.

Joe Carrigan: [00:27:43] The Facebook, the internets - and here's the third takeaway, and that is that it's really helpful to have a third party come in and evaluate your security because you do tend to get blind to a lot of things. I remember when I was in - doing development. I'd be sitting there for a couple of hours banging my head against a problem, and I couldn't resolve it. And I would just call one of my co-workers over and say can you take a look at this to see what my problem is? And usually it was my co-worker Nancy (ph). And she'd come over, take 2 seconds to go, well, there's your problem, and point to a line of code and say, that operator is wrong. And I'd be like I'd been looking at that operator, glossing over it for an hour, and I just never saw it. And I think that happens organizationally too, that you start thinking about these things, but you've already got a preconceived notion in your head about the way things are. And there's probably some kind of groupthink that plays into this as well.

Dave Bittner: [00:28:36] Yeah.

Joe Carrigan: [00:28:37] You just can't see the forest for the trees, or you can't see the vulnerability for the software.

Dave Bittner: [00:28:42] As we've seen, there's sure to be some holes here and there.

Joe Carrigan: [00:28:45] Guarantee there's holes in everything.

Dave Bittner: [00:28:48] Yeah. All right. Well, that is our show. As always, thanks to everybody for listening.

Dave Bittner: [00:28:51] And thanks to our sponsor, KnowBe4, for help inoculating your organization's employees against social engineering with their new school security awareness training. Talk to KnowBe4 and be sure to sign up for their Cyberheist News at knowbe4.com/news. That's knowbe4.com/news. Thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more about them at isi.jhu.edu.

Dave Bittner: [00:29:20] The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben, editor is John Petrik, technical editor is Chris Russell, executive editor Peter Kilpe. I'm Dave Bittner.

Joe Carrigan: [00:29:40] And I'm Joe Carrigan.

Dave Bittner: [00:29:41] Thanks for listening.